package com.haorui.lygyd.config;

import com.haorui.fileserver.FileSaveUtils;
import com.haorui.lygyd.authority.filter.JWTAuthenticationFilter;
import com.haorui.lygyd.authority.filter.XssFilter;
import com.haorui.lygyd.authority.provider.AccountAuthenticationProvider;
import com.haorui.lygyd.authority.provider.MemberAuthenticationProvider;
import com.haorui.lygyd.authority.provider.TokenAuthenticationProvider;
import com.haorui.lygyd.authority.service.AccountDetailService;
import com.haorui.lygyd.wxapi.utils.WXUserQRCode;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Configurable;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;

/**
 * Created with IntelliJ IDEA.
 * 创建人: 陈刚
 * 日期: 2017/8/10
 * 时间: 0:05
 * 功能：路由身份验证
 */
@Configurable
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private AccountDetailService accountDetailService;

    @Value("${wx.MPFileName}")
    private String mpFileName;
    @Autowired
    JWTAuthenticationFilter jwtAuthenticationFilter;
    @Autowired
    XssFilter xssFilter;
    @Autowired
    AccountAuthenticationProvider accountAuthenticationProvider;
    @Autowired
    MemberAuthenticationProvider memberAuthenticationProvider;
    @Autowired
    TokenAuthenticationProvider tokenAuthenticationProvider;

    @Autowired
    public void configureAuthentication(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
        authenticationManagerBuilder
                .authenticationProvider(accountAuthenticationProvider)
                .authenticationProvider(memberAuthenticationProvider)
                .authenticationProvider(tokenAuthenticationProvider);

    }


    @Override
    protected void configure(HttpSecurity http) throws Exception {
        if (mpFileName == null) {
            mpFileName = "null.txt";
        }
        http.authenticationProvider(tokenAuthenticationProvider)
                .addFilterAfter(xssFilter, AbstractPreAuthenticatedProcessingFilter.class)
                .addFilterAfter(jwtAuthenticationFilter, AbstractPreAuthenticatedProcessingFilter.class)

//                .addFilterAfter(requestAuthorityFilter,UsernamePasswordAuthenticationFilter.class)
                // 由于使用的是JWT，我们这里不需要csrf
                .csrf().disable()
                // 基于token，所以不需要session
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()

                .authorizeRequests()
                // 允许对于网站静态资源的无授权访问
                .antMatchers(
                        "/*.html",
                        "/favicon.ico",
                        "/**/*.html",
                        "/**/*.css",
                        "/**/*.js",
                        "/**/*.ttf",
                        "/**/*.zip",
                        "/**/code/**",
                        "/**/" + FileSaveUtils.accountPhotoPath + "/**",
                        "/**/" + FileSaveUtils.memberPhotoPath + "/**",
                        "/**/" + FileSaveUtils.goodsPhotoPath + "/**",
                        "/**/" + WXUserQRCode.wxMemberQRcode + "/**",
                        "/**/images/**"
                ).permitAll()
                .antMatchers(
                        "/login",
                        "/v2/**",
                        "/swagger-resources/**",
                        "/" + mpFileName,
                        "/**/fileauth.txt"
                ).permitAll()

                // 对于获取token的rest api要允许匿名访问
                .antMatchers("/auth/**")
                .permitAll()
                // 对于获取token的rest api要允许匿名访问
                .antMatchers("/wxbusi/**")
                .permitAll()
                .antMatchers(HttpMethod.OPTIONS).permitAll()
                // 除上面外的所有请求全部需要鉴权认证
                .anyRequest().authenticated();
    }

}
